diff --git a/provision-contest/ansible/group_vars/domserver.yml b/provision-contest/ansible/group_vars/domserver.yml
new file mode 100644
index 00000000..f71da846
--- /dev/null
+++ b/provision-contest/ansible/group_vars/domserver.yml
@@ -0,0 +1,2 @@
+# If set, configure the real_ip_from header in NGINX to trust a proxy
+# FRONT_REVERSE_PROXY: 192.168.0.1
diff --git a/provision-contest/ansible/roles/domserver/templates/nginx-domjudge-inner.j2 b/provision-contest/ansible/roles/domserver/templates/nginx-domjudge-inner.j2
index a37c690b..cf411ae1 100644
--- a/provision-contest/ansible/roles/domserver/templates/nginx-domjudge-inner.j2
+++ b/provision-contest/ansible/roles/domserver/templates/nginx-domjudge-inner.j2
@@ -69,5 +69,10 @@ add_header X-Content-Type-Options "nosniff";
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Robots-Tag "none" always;
 
+{% if FRONT_REVERSE_PROXY is defined %}
+set_real_ip_from {{ FRONT_REVERSE_PROXY }};
+real_ip_header X-Forwarded-For;
+{% endif %}
+
 error_log /var/log/nginx/domjudge.log;
 access_log /var/log/nginx/domjudge.log dj_access;